UK FinTech companies face a regulatory environment that has become significantly more complex in 2026. Three separate frameworks — the FCA Consumer Duty, the EU AI Act, and DORA — are converging simultaneously, and each one has direct implications for how artificial intelligence can be used in financial services. This article explains how the three frameworks interact, where the obligations overlap, and what UK FinTech firms need to do before the December 2027 deadline.

The Three Frameworks Every UK FinTech Must Understand

1. FCA Consumer Duty and AI

The FCA Consumer Duty (PS22/9), which came into force in July 2023, requires firms to deliver good outcomes for retail customers. Where AI is involved in customer-facing decisions — credit scoring, product recommendations, claims handling, fraud detection — the Consumer Duty creates direct obligations around fairness, explainability, and outcome monitoring.

The FCA has been explicit in its AI discussion paper (DP5/22) that AI systems must be governed with the same rigour as any other decision-making process. This means firms cannot hide behind algorithmic complexity. If an AI system produces a poor customer outcome, the firm is responsible.

Key Consumer Duty obligations relevant to AI include: demonstrating that AI-driven products and communications are clear and not misleading; monitoring outcomes by customer segment to identify AI-driven bias or unfairness; maintaining audit trails for AI decisions that affect customer outcomes; and ensuring human oversight is available where AI makes significant decisions.

2. EU AI Act — What UK FinTech Firms Must Know

The EU AI Act applies to any organisation deploying AI systems that affect individuals in the EU — regardless of where the organisation is based. For UK FinTech firms with EU customers, EU operations, or EU-regulated entities, the Act creates direct compliance obligations.

Under Annex III of the EU AI Act, AI systems used in credit scoring, insurance risk assessment, and financial eligibility decisions are classified as high-risk. High-risk AI systems must meet requirements including: a conformity assessment before deployment; technical documentation and logging; human oversight mechanisms; accuracy and robustness testing; and registration in the EU AI Act database.

The Digital Omnibus agreement of 7 May 2026 extended the deadline for high-risk AI system compliance to December 2027. However, the fundamental obligations have not changed — only the timeline has shifted. Firms that wait until 2027 to begin preparation will not have sufficient time to comply.

3. DORA — The Digital Operational Resilience Act

DORA (Regulation (EU) 2022/2554) came into force across the EU on 17 January 2025. It applies to financial entities operating in the EU and their critical ICT third-party providers. Where AI systems form part of a firm’s ICT infrastructure — which is increasingly the case — DORA creates specific obligations around resilience testing, incident reporting, and third-party risk management.

For UK FinTech firms with EU operations or EU-regulated subsidiaries, DORA is already live and enforceable. AI systems that support critical or important functions must be included in ICT risk management frameworks, resilience testing programmes, and third-party oversight arrangements.

Where the Three Frameworks Overlap

The convergence of Consumer Duty, the EU AI Act, and DORA is not coincidental — it reflects a shared regulatory philosophy that AI in financial services must be governed, auditable, and explainable. The practical overlap points are significant.

Human oversight is required by all three frameworks. Consumer Duty requires firms to monitor AI-driven outcomes and intervene where they are harmful. The EU AI Act requires human oversight mechanisms for high-risk AI. DORA requires governance structures for ICT systems that support critical functions. A single human oversight framework — properly documented — can satisfy all three simultaneously.

Documentation and audit trails are required across all three frameworks. Firms that build a comprehensive AI governance documentation library will find that the same records serve multiple compliance purposes. This is an efficiency argument for acting early rather than late.

Third-party AI providers create shared obligations. If your firm uses an AI system provided by a third party — a credit scoring model, a fraud detection API, a customer service bot — you remain responsible for compliance under all three frameworks. Contractual arrangements with AI vendors must be reviewed and updated.

The Timeline Pressure

UK FinTech firms face a stacked deadline calendar. Consumer Duty is already enforced. DORA has been live since January 2025. The EU AI Act high-risk AI obligations apply from December 2027, but the conformity assessment process for a high-risk AI system typically takes six to twelve months. Firms that begin preparation in late 2026 or 2027 will not finish in time.

The practical starting point is a scoping assessment: identifying which AI systems are in use, which regulatory frameworks apply to each, and what gaps exist relative to current obligations. For most UK FinTech firms, this assessment will surface immediate Consumer Duty and DORA gaps alongside medium-term EU AI Act preparation requirements.

What to Do Now

Firms should take the following steps in the second half of 2026. First, complete an AI system inventory — map every AI tool in use, including third-party providers. Second, classify each system against EU AI Act risk categories to identify high-risk systems requiring conformity assessment. Third, review existing Consumer Duty monitoring frameworks to confirm AI-driven decisions are included. Fourth, assess DORA obligations for any AI systems supporting critical or important functions in EU operations. Fifth, build a consolidated AI governance framework that addresses all three regulatory requirements through a single programme rather than three separate workstreams.

How Wishory Can Help

Wishory’s DORA and EU AI Act Combined Assessment is designed specifically for UK FinTech firms navigating this triple regulatory pressure. The assessment covers all three frameworks in a single three-week engagement, producing a prioritised compliance roadmap and the documentation foundation required for EU AI Act conformity assessment.

Book a free 30-minute AI compliance review to discuss your firm’s specific position across Consumer Duty, the EU AI Act, and DORA.